Krebs on Security

In-depth security news and investigation

Would You Have Spotted this ATM Fraud?

ATM skimmer found on a Wachovia ATM in Alexandria Feb. 28.

The stories I’ve written on ATM skimmers — devices criminals can attach to bank money machines to steal customer data — remain the most popular at Krebs on Security so far. I think part of the public’s fascination with these fraud devices is rooted in the idea that almost everyone uses ATMs, and that it’s entirely possible to encounter this type of sneaky, relatively sophisticated form of crime right in our own neighborhoods.

Indeed, police in Alexandria, Va. — just a couple of miles to the East of where I reside — recently were alerted to a skimmer found on an ATM at a Wachovia Bank there. The device reportedly was discovered On Sunday, Feb. 28, at around 1:30 p.m., by an ATM technician (no one I’ve asked has been able to explain why the technician was there on a Sunday in the first place, but I digress). According to the Alexandria Police, the technician spotted the skimming device attached to the card reader on the ATM, snapped some pictures of it, and then went inside the bank to notify the bank’s security office. When he returned a few minutes later, the skimmer had been removed.

ATM skimmer found on a Wachovia ATM in Alexandria Feb. 28.

Skimmers are typically placed at the mouth of the card acceptance slot, and designed to record the data off of the magnetic strip on the back of a customer’s ATM card when he or she inserts the card into the machine. Usually, thieves will plant another device used to record the customer’s PIN, such as a hidden camera or a PIN pad overlay. With the data from the magnetic strip and the customer’s PIN, the thieves can later clone that ATM card and use it to withdraw cash. The police in this case couldn’t say whether there was also a PIN stealing apparatus attached to the ATM, although it seems likely that the technician simply overlooked it.

Cmdr. Jody D. Donaldson, head of the Alexandria Police Department’s Media Services Unit, said crooks sell skimmers in different adaptations and colors depending on the make and model of the ATM that their thieving customers want to target. The skimmer attached to the front of the Wachovia ATM for example, was manufactured for a specific model of Diebold ATMs, Donaldson said.

Donaldson said several customers have come forward to report fraudulent charges on their bank cards, with current losses from the incident estimated at more than $60,000.

Read on after the jump about how the skimmer used in this attack matches a model sold online by criminals in rent-to-own kits, complete with instructional videos and software that divvies up the stolen data.

The business end of a standard, $1,500 Diebold skimmer sold online.

Interestingly, after my last story on ATM skimmers, I received several spammy comments on the entry directing readers to a site that specializes in selling ATM skimming devices. That site sells a Diebold ATM skimmer that is apparently identical to the one found attached to the Alexandria ATM starting at a base price of $1,500 (see image at right). If the thief wants to have the stolen data sent to him from a safe distance via a wireless technology — such as Bluetooth or cell phone (GSM) — the price for one of these Diebold skimmers increases to $2,000 or even $2,500.

The site also advertises a sort of rent-to-own model for would-be thieves who need seed money to get their ATM-robbing businesses going. “Skim With Our Equipment for 50% of Data Collected,” the site offers. The plan works like this: The noobie ATM thief pays a $1,000 “deposit” and is sent a skimmer and PIN pad overlay, along with a link to some videos that explain how to install, work and remove the skimmer technology.

The backside end of a standard, $1,500 Diebold skimmer sold online.

Employees are instructed to download specialized software written by the employers that pulls the stolen data off of the card skimmer at the end of a day’s “work.” The software also automatically uploads the stolen card data to the employer’s servers. The employee allegedly holds the key to making sure his employers don’t just make off with 100 percent of the stolen data, as he retains stolen PIN information.

“This way, you will have pad numbers we will have track info and we split them 50% each on cashout day,” the site explains. “We have to decide a working day from total amount of tracks you will have send us our % of pin numbers and we will send your % of tracks info, then exactly the same day will do the final job cash out.”

A bogus Diebold ATM PIN pad overlay sold online for $1,700.

Of course, the entire site could be little more than a very clever scheme to bilk gullible thieves out of $1,000: Not surprisingly, the site owners only accept irreversible forms of payment, such as wire transfers or money orders.

Update, 1:47 p.m. ET: I was just interviewed about this article on The Kojo Nnamdi Show, part of WAMU 88.5 FM, a National Public Radio news station in Washington, D.C. You can listen to a recording of that show at this link here.

Update, March 26, 11:13 p.m.: I was meeting a source in Washington, D.C. today and happened to walk past another Wachovia ATM. I was so struck by the fact that I could not tell the difference between the skimmer-tainted ATM in the post above and this machine in D.C. that I snapped these photos. The ATM in question is right next to the Archives/Navy Memorial Metro Station.

[EPSB]

Have you seen:

ATM Skimmers: Separating Cruft from Craft…The truth is that most of these skimmers openly advertised are little more than scams designed to separate clueless crooks from their ill-gotten gains. Start poking around on some of the more exclusive online fraud forums for sellers who have built up a reputation in this business and chances are eventually you will hit upon the real deal.

This entry was posted on Thursday, March 25th, 2010 at 12:45 am and is filed under A Little Sunshine, All About Skimmers, Other.
You can follow any comments to this entry through the RSS 2.0 feed.
Both comments and pings are currently closed.

91 comments

What leads anyone to believe that chip cards are secure? There is a more expensive chip inside my PC. It can be hacked, cloned, malwared and needs 24.6 security updates a week. The chip in a chip card is not as tasty as it is assumed to be.

Chip cards are more secure because the data doesn’t flow from the card in plaintext format like the magstripe cards. The cards have an internal crypto engine and private key. The card can not be cloned easily because to clone it, you would have to use the same private key, which is never disclosed. That’s not to say it’s 100% impossible, just impractical to do on a large scale. In this type of case, the thieves wouldn’t realistically be able to pull it off with such simple skimming equipment.

You are absolutely right. The fact that we still use mag-stripe cards in 2010 is insane. It all boils down to cheap. The smart cards are getting even smarter with flashable encryption that can be changed inside the ATM or any bank machine on a regular basis, preventing even copying the key. Facial recognition has come so far you can log into your laptop just by looking at it. Biometrics has made it to where you can be identified by a shadow. Any of this technology can be used to prevent the type of “easy money” fraud that attacks people on a daily basis. Petition your institution for a better security solution from a professional security provider. The in-house ” I can fix it” routine is old news.

Yes you are right it is more secure now, the problem is and i can speak on behalf of a top level person at one of the big credit card companies who was around when they first introduced the magnetic stripe system. Back then they really truely believed the technology to read/write to magnetic stripes on cards wouldnt get out into the public on a wide scale… i know it seems ridiculous now but thats really what they thought and what they were told back then. Now of course they are cheap and found all over the web and the decision makers feel burnt by technology. The point is, in the minds of the people who are the decision makers on this issue I can tell you from casual conversation they are seriously concerned about rolling out an infinitely more expensive chip system only to have some new electronic gizmo turn up which can somehow read the secret key off the card through peoples pockets, maybe not now but in 5 or 10 yrs time when they cant roll back. Im not sure from an electronics point of view how feasible this senario is, not many do, however this might help explain the reluctance on the part of the card industry to fully support chip cards.

The technology that you mention that can be read from a distance is not the same that is being used in ATM’s. There are contact chips and proximity chips. The exposure with proximity chips is that they can be read at a certain distance even when they are in you wallet. You are right, in 5 or 10 years from now the technology might be avaialble to decrypt the keys on the chips, but for that time the billions of dollars saved in fraud will pay for the technology that will reinforce the chip to the point that it will take 150 years to beak the encryption code in the, by then the owner of the card will be long gone or dead.

@Jose NAVARRO
Actually since this post I saw a recent demonstration of this device http://www.riscure.com/inspector/product-description/inspector-sca.html which is for sale right now at a reasonable price.
They had a table at CARTES in Paris and were pulling the secret sopposedly hidden keys off all types of smart cards right there in front of all the smart card manufacturers. Caused quite a stir. It didnt matter about the encryption used as they had configurable cryptanalysis modules for SPA, DPA and higher-order DPA on a large number of algorithms including 3-DES, AES, RSA and ECC etc.
You can see by the photos it still the size of a small science kit but I would say its only a few years away before the next generation of this is small enough to be used fraudulently and sold alongside the magnetic stripe read/writers if it isnt being used already in some way.

The idea that decision-makers are hesitant to replace a seriously broken technology with a more secure one “because it might not be secure in the future”, is absurd. No one would look back, 10 years from now, and say “Damnit, they hacked the chip cards. I wish we could go back to Mag stripes.”

It’s just money. The cost of dealing with theft is currently not more than the cost of upgrading the system. It’s as simple as that. They’re pinching pennies while the public gets ripped off. The only banks doing it are ones that think they can sign more high-end customers simply because their cards were more secure.

I disagree with you there. It is better to stay with the magstrip. It will be costly to have a chip cards. Think it will cost to have a PC chip in our computers. The theives will hack the chips like on the PC. It seem to be secure. The crooks ever run out of ideas to beat the system. They alwasy figure out ways to get around of stealing peop;e money.It will cost more to have a chips then the credit cards nd debits cards. I would think,

I think there is to be a ATM machine that has no indent area where there is not place to fix a dummy key pad,camera and
card reader on it. ADT has a device that goes inside the ATM
machine to scramble the credit card information. Have a hidden security camera catching these skimmers as they put these skimming devices on the machines. I think there should be a monitor in side the bank viewing the ATM machines. Credit cards company should have the credit card encryp embeded in them. The customer should look for a person who is in the cars or standing with hand devices to pick up the credit cards information. When puching the pin numbers sheild the pad with the other hand. The customers should serach the ATM machine out for out of the ordenaory look of the machine. I can go on and on. It is to bad that not to many people know abot the skimming to protect their infoemation on these credit cards or debit cards.

I think the numbers on the key pad to be on a small screen below . This way the crook can not put a device over the pin pad. Still the bamk customer have to sheild the number as it is being punch in. The card reader should be scan. Not insert. The ATM machine should have a whole make over with new security devices in and out side. The credit cards company should emcryp the cards. The blank credit and debit cards should be disstribute to the banks and credit union only. Not to people.The gifts cards are easly scam to wipe out information on a hand held or big scanner of inforamation to put stolen credit cards information on them. The stores should have gifts cards behind their counters. The theives will scracth off the numbers while they are still on the racks. People should be educated on this.

Canadian Banks are deploying chip technology in credit and debit cards. Their weakness, that we have to leave the mag stripe so that when clients travel to the US or Europe they can use their credit or debit cards.

I believe a scandinavian country legislated chip cards for all citizens and mag stripe readers are available on ATMs for tourists. Their fraud has been reduced to 0.o1% and I beleive it is mag stripe related.

I personnaly demagnitized the mag stripe in my debit card, since my Bank recognized the chip on the card and I do not purchase any items with merchants that do not read the chip.

Is time to get with the times, for those of you that think that you do not pay for the fraud on ATMs, yous just have to look at your banking service charges to realize you pay and quite handsomely.

There is one difference between the skimmer and the original ATM that is easy to see. Look at the ring of lights around the entry slot. The skimmer has a spot that does not have a light. This is where the mechanism for reading the card is. If you look at the original ATM entry slot, the ring of lights is unbroken.

Mr. Krebs:
I sent you a previous comment this morning — I’m the TV producer for the City of Tallahassee’s government TV channel who’s producing a story about ID theft and ATM skimming.
I’m producing a story about ID Theft and one of the topics covered is ATM skimming. I’ve found a second picture you’ve run in your blog I would like to use in my story. This picture is located at krebsonsecurity.com/2010/03/would-you-have-spotted-this-atm-fraud/
As I noted above, our channel is a cable-access channel, so we’re not broadcast over the city but are available to Tallahassee cable subscribers.
Please let me know by return e-mail if it’s ok to use your image in my story.

I think smart card technology is the way to go forward. Even with Side Chanel Attack, it is not possible to do skimming a card and crack encryption based chip tech in short time frames that people use an ATM. Besides it is infinitesimally complex to do so compared to magnetic stripes skimming.
I don’t think it is possible to do such comprehensive analysis -it is a complicated evidence(tell tale signals) based technique in the short time window of an ATM card use. Even if readers are developed that can be placed on an ATM as surrogates in future. And it also makes a possible future skimmer more costly and less accessible to all thieves. One should also remember that smart cards have more physical variety compared to magnetic stripe technology, another factor that complicates an SCA attack.
And cryptoanalysis (the soft side) techniques also needs larger time frames than typical ATM card use but it is possible to upgrade the firmware (like how we upgrade computers to keep the protection more relevant).
To sum up I feel it is the transition cost factor that is stopping the adoption. The mobile industry embraced the technology early on so we find chip cards in mobiles while banking industry went the magnetic stripe way and now feels a compulsion to move forward